Talk:Internet Protocol security architecture

From Citizendium, the Citizens' Compendium
This article is developing and not approved.
Definition: A structure and set of abstract techniques for implementing various security features, according to the requirements of a specific security policy, in Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).

Too many articles?

We currently have this article, IPSec, which redirects here, and IPsec, which goes into a lot more detail. Do we need some merging? I think there's a valid architecture/implementation distinction, so we might need two articles. However, I'm not sure the current articles fit the bill. Sandy Harris 04:55, 1 March 2010 (UTC)

Good point

I don't usually think packet formats are appropriate to an architecture. From the IETF architecture table of contents, RFC 4301, major headings:

  3. System Overview
     3.1. What IPsec Does
     3.2. How IPsec Works
     3.3. Where IPsec Can Be Implemented
  4. Security Associations
     4.1. Definition and Scope
     4.2. SA Functionality
     4.3. Combining SAs
     4.4. Major IPsec Databases
          4.4.1. The Security Policy Database (SPD)
          4.4.2. Security Association Database (SAD)
          4.4.3. Peer Authorization Database (PAD)
     4.5. SA and Key Management
          4.5.1. Manual Techniques
          4.5.2. Automated SA and Key Management
          4.5.3. Locating a Security Gateway
     4.6. SAs and Multicast
  5. IP Traffic Processing
  • Presumably transport mode gets defined here?
     5.1. Outbound IP Traffic Processing (protected-to-unprotected)
          5.1.1. Handling an Outbound Packet That Must Be Discarded
          5.1.2. Header Construction for Tunnel Mode
  6. ICMP Processing
  7. Handling Fragments (on the protected side of the IPsec boundary)
     7.1. Tunnel Mode SAs that Carry Initial and Non-Initial Fragments
     7.2. Separate Tunnel Mode SAs for Non-Initial Fragments
     7.3. Stateful Fragment Checking
     7.4. BYPASS/DISCARD Traffic
  8. Path MTU/DF Processing
     8.1. DF Bit
     8.2. Path MTU (PMTU) Discovery
          8.2.1. Propagation of PMTU
          8.2.2. PMTU Aging
  9. Auditing

This, presumably, is the right level of detail, with contextualization about the non-protocol aspects. --Howard C. Berkowitz 09:11, 1 March 2010 (UTC)